PicoCTF Level2 WriteUp

Web

My First SQL

网页是一个登录界面，尝试万能密码。

admin
'or'1'='1

成功登陆。

分析sql查询语句如下
select * from users where user = 'admin' and pass = ''or'1'='1';

flag:be_careful_what_you_let_people_ask_1b3db77df6b116a38db8ceb7c81cb14c

TW_GR_E1_ART

TW_GR_E1_ART
Oh, sweet, they made a spinoff game to Toaster Wars! That last room has a lot of flags in it though. I wonder which is the right one...? Check it out here.

 HINTS
  I think this game is running on a Node.js server. If it's configured poorly, you may be able to access the server's source. If my memory serves me correctly, Node servers have a special file that lists dependencies and a start command; maybe you can use that file to figure out where the other files are?

题目是一个运行在node.js的js游戏，玩了一会，在第4层发现了好多flag，随便挑一个使用，发现所有的道具都被销毁了，可能这是一个假的flag。。。

看了一下writeup，所有node.js server都会有一个package.json储存配置信息，先访问看看。

{
  "name": "rogue-1",
  "version": "1.0.0",
  "main": "server/serv.js",
  "dependencies": {
    "beautiful-log": "^1.3.0",
    "body-parser": "^1.16.0",
    "callsite": "^1.0.0",
    "clone": "^2.1.0",
    "colors": "^1.1.2",
    "cookie-parser": "^1.4.3",
    "deep-diff": "^0.3.4",
    "dequeue": "^1.0.5",
    "express": "^4.14.1",
    "mongodb": "^2.2.25",
    "morgan": "^1.7.0",
    "nconf": "^0.8.4",
    "promise": "^7.1.1",
    "socket.io": "^1.7.2",
    "sprintf": "^0.1.5"
  },
  "devDependencies": {},
  "scripts": {
    "prestart": "node server/init.js",
    "start": "node server/serv.js"
  }
}

CRYPTOGRAPHY

SoRandom

题目：

We found sorandom.py running at shell2017.picoctf.com:37968. It seems to be outputting the flag but randomizing all the characters first. Is there anyway to get back the original flag?
Update (text only) 16:16 EST 1 Apr Running python 2 (same version as on the server)

  HINTS
    How random can computers be?

加密脚本

#!/usr/bin/python -u
import random,string

flag = "FLAG:"+open("flag", "r").read()[:-1]
encflag = ""
random.seed("random")
for c in flag:
  if c.islower():
    #rotate number around alphabet a random amount
    encflag += chr((ord(c)-ord('a')+random.randrange(0,26))%26 + ord('a'))
  elif c.isupper():
    encflag += chr((ord(c)-ord('A')+random.randrange(0,26))%26 + ord('A'))
  elif c.isdigit():
    encflag += chr((ord(c)-ord('0')+random.randrange(0,10))%10 + ord('0'))
  else:
    encflag += c
print "Unguessably Randomized Flag: "+encflag

在终端nc题目给出的端口，返回了BNZQ:jn0y1313td7975784y0361tp3xou1g44

加密脚本看似是生成的随机数，但是用了seed()函数，那么生成的随机数序列一定是固定的，那么只需要逆序就好了，这里注意python随机数在windows和linux下是不同的，这个脚本要放在linux下跑。

解密脚本

#!/usr/bin/python -u
import random,string

flag = ""
encflag = "BNZQ:jn0y1313td7975784y0361tp3xou1g44"
random.seed("random")
for c in encflag:
  if c.islower():
    #rotate number around alphabet a random amount
    flag += chr((ord(c)-ord('a')+26-random.randrange(0,26))%26 + ord('a'))
  elif c.isupper():
    flag += chr((ord(c)-ord('A')+26-random.randrange(0,26))%26 + ord('A'))
  elif c.isdigit():
    flag += chr((ord(c)-ord('0')+10-random.randrange(0,10))%10 + ord('0'))
  else:
    flag += c
print flag

flag：FLAG:ac8c0490fb0508767f1625cb8cea8c34